diff --git a/bigbluebutton-html5/imports/api/meetings/server/modifiers/addMeeting.js b/bigbluebutton-html5/imports/api/meetings/server/modifiers/addMeeting.js
index 86321e7f7e331a1f1300eb00272cc8644880127e..cded1233cb582f13181e6f8b0dc7a241e74a2bb5 100755
--- a/bigbluebutton-html5/imports/api/meetings/server/modifiers/addMeeting.js
+++ b/bigbluebutton-html5/imports/api/meetings/server/modifiers/addMeeting.js
@@ -106,30 +106,44 @@ export default function addMeeting(meeting) {
   const meetingEnded = false;
 
   let { welcomeMsg } = newMeeting.welcomeProp;
-  const sanitizedText = SanitizeHTML(welcomeMsg, {
+  const sanitizedWelcomeText = SanitizeHTML(welcomeMsg, {
     allowedTags: ['b', 'strong', 'i', 'u', 'a', 'br'],
     allowedAttributes: {
       a: ['href', 'name', 'target'],
     },
   });
-  welcomeMsg = sanitizedText.replace(
+  welcomeMsg = sanitizedWelcomeText.replace(
     'href="event:',
     'href="',
   );
 
-  newMeeting.welcomeProp.welcomeMsg = welcomeMsg;
-
   const insertBlankTarget = (s, i) => `${s.substr(0, i)} target="_blank"${s.substr(i)}`;
   const linkWithoutTarget = new RegExp('<a href="(.*?)">', 'g');
-  linkWithoutTarget.test(newMeeting.welcomeProp.welcomeMsg);
+  linkWithoutTarget.test(welcomeMsg);
 
   if (linkWithoutTarget.lastIndex > 0) {
-    newMeeting.welcomeProp.welcomeMsg = insertBlankTarget(
-      newMeeting.welcomeProp.welcomeMsg,
+    welcomeMsg = insertBlankTarget(
+      welcomeMsg,
       linkWithoutTarget.lastIndex - 1,
     );
   }
 
+  newMeeting.welcomeProp.welcomeMsg = welcomeMsg;
+
+  const { modOnlyMessage } = newMeeting.welcomeProp;
+
+  const sanitizedModOnlyText = SanitizeHTML(modOnlyMessage, {
+    allowedTags: ['b', 'strong', 'i', 'u', 'a', 'br'],
+    allowedAttributes: {
+      a: ['href', 'name', 'target'],
+    },
+  });
+
+  // note: as of July 2020 `modOnlyMessage` is not published to the client side.
+  // We are sanitizing this data simply to prevent future potential usage
+  // At the moment `modOnlyMessage` is obtained from client side as a response to Enter API
+  newMeeting.welcomeProp.modOnlyMessage = sanitizedModOnlyText;
+
   const modifier = {
     $set: Object.assign({
       meetingId,
diff --git a/bigbluebutton-html5/imports/ui/components/join-handler/component.jsx b/bigbluebutton-html5/imports/ui/components/join-handler/component.jsx
index 3bb0d608fb7e7a86fcdb86002a9ac6b935a2c1d3..e7a4444dd84404429ed02d2e49a296397734f0d1 100755
--- a/bigbluebutton-html5/imports/ui/components/join-handler/component.jsx
+++ b/bigbluebutton-html5/imports/ui/components/join-handler/component.jsx
@@ -1,6 +1,7 @@
 import React, { Component } from 'react';
 import { Session } from 'meteor/session';
 import PropTypes from 'prop-types';
+import SanitizeHTML from 'sanitize-html';
 import Auth from '/imports/ui/services/auth';
 import { setCustomLogoUrl, setModeratorOnlyMessage } from '/imports/ui/components/user-list/service';
 import { makeCall } from '/imports/ui/services/api';
@@ -141,7 +142,13 @@ class JoinHandler extends Component {
 
     const setModOnlyMessage = (resp) => {
       if (resp && resp.modOnlyMessage) {
-        setModeratorOnlyMessage(resp.modOnlyMessage);
+        const sanitizedModOnlyText = SanitizeHTML(resp.modOnlyMessage, {
+          allowedTags: ['b', 'strong', 'i', 'u', 'a', 'br'],
+          allowedAttributes: {
+            a: ['href', 'name', 'target'],
+          },
+        });
+        setModeratorOnlyMessage(sanitizedModOnlyText);
       }
       return resp;
     };